Sunday, September 23, 2012

FND - 2403 The attachment information can't be retrieved


This error appears when you try to view the log file or output of a job. The simple solution is to restart the UCM server and the ESS server of the Common Domain. As a workaround, use WLST on the Common Domain to revoke the permissions for EssCentralUiApp and grant them again.

Check the error 


If this error occurs, a quick workaround is to restart the UCM server and the ESSbase server, which are under the Common Domain.


Once the servers are restarted, the issue will not recur. If you get the issue again, then according to the Metalink note "Intermittent FND-2403 Trying to get the Job's Output or Log Files" [ID 1432438.1], we need to revoke the grants from EssCentralUiApp and grant them again with the system policy, because the EssCentralUiApp codesource grants have been packaged into the fscm application instead of the system policy.

After restarting the ESS servers, check the Scheduling Services tab in EM and find the status of the ESS app. The request processor will be in the stopped state, and we have to start it.


Select the request processor that is stopped and then click Start to start the process.

Whenever you restart the ESS server, check the process status in EM.

GRANTING AND REVOKING PERMISSION FOR THE EssCentralUiApp


[oracle@fahapp bin]$ pwd
<oracle_base>/products/fusionapps/oracle_common/common/bin
[oracle@fahapp bin]$ ./wlst.sh


wls:/offline> connect()
Please enter your username :<username>
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://<common domain host name>:7001
Connecting to t3://<common domain hostname>:7001 with userid <username> ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'CommonDomain'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

Step 1
Execute the commands
wls:/CommonDomain/serverConfig> revokePermission(appStripe='fscm', codeBaseURL='file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar', permClass='oracle.wsm.security.WSIdentityPermission',permTarget='resource=EssCentralUiApp',permActions='assert')
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Step 2



wls:/CommonDomain/serverConfig> revokePermission(appStripe='fscm', codeBaseURL='file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar',permClass='oracle.security.jps.service.credstore.CredentialAccessPermission', permTarget='context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key', permActions='read')
Already in Domain Runtime Tree

Step 3


wls:/CommonDomain/serverConfig> revokePermission(appStripe='fscm', codeBaseURL='file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar', permClass='oracle.security.jps.service.credstore.CredentialAccessPermission', permTarget='context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key', permActions='read')
Already in Domain Runtime Tree

Step 4


wls:/CommonDomain/serverConfig>  grantPermission(codeBaseURL='file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar', permClass='oracle.wsm.security.WSIdentityPermission', permTarget='resource=EssCentralUiApp', permActions='assert')
Already in Domain Runtime Tree

Step 5
wls:/CommonDomain/serverConfig> grantPermission(codeBaseURL='file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar', permClass='oracle.security.jps.service.credstore.CredentialAccessPermission', permTarget='context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key', permActions='read')
Already in Domain Runtime Tree

Command FAILED, Reason: JPS-04201: Cannot grant permission(s). Grant already exists for grantee [GranteeEntry: codeSource=file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar principals=[]].

Traceback (innermost last):
  File "<console>", line 1, in ?
  File "/u01/oracle/fa/products/fusionapps/oracle_common/common/wlst/jpsWlstCmd.py", line 735, in grantPermission
  File "/u01/oracle/fa/products/fusionapps/oracle_common/common/wlst/jpsWlstCmd.py", line 719, in grantPermissionImpl
        at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
        at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
        at javax.management.remote.rmi.RMIConnectionImpl_1036_WLStub.invoke(Unknown Source)
        at weblogic.management.remote.common.RMIConnectionWrapper$16.run(ClientProviderBase.java:918)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
        at weblogic.security.Security.runAs(Security.java:61)
        at weblogic.management.remote.common.RMIConnectionWrapper.invoke(ClientProviderBase.java:916)
        at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)

javax.management.MBeanException: javax.management.MBeanException: JPS-04201: Cannot grant permission(s). Grant already exists for grantee [GranteeEntry: codeSource=file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar principals=[]].

Step 6
wls:/CommonDomain/serverConfig> grantPermission(codeBaseURL='file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar', permClass='oracle.security.jps.service.credstore.CredentialAccessPermission', permTarget='context=SYSTEM,mapName=oracle.wsm.security,keyName=enc-csf-key', permActions='read')
Already in Domain Runtime Tree

Command FAILED, Reason: JPS-04201: Cannot grant permission(s). Grant already exists for grantee [GranteeEntry: codeSource=file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar principals=[]].

Traceback (innermost last):
  File "<console>", line 1, in ?
  File "/u01/oracle/fa/products/fusionapps/oracle_common/common/wlst/jpsWlstCmd.py", line 735, in grantPermission
  File "/u01/oracle/fa/products/fusionapps/oracle_common/common/wlst/jpsWlstCmd.py", line 719, in grantPermissionImpl
        at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
        at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
        at javax.management.remote.rmi.RMIConnectionImpl_1036_WLStub.invoke(Unknown Source)
        at weblogic.management.remote.common.RMIConnectionWrapper$16.run(ClientProviderBase.java:918)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
        at weblogic.security.Security.runAs(Security.java:61)
        at weblogic.management.remote.common.RMIConnectionWrapper.invoke(ClientProviderBase.java:916)
        at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)

javax.management.MBeanException: javax.management.MBeanException: JPS-04201: Cannot grant permission(s). Grant already exists for grantee [GranteeEntry: codeSource=file:${atgpf.oracle.home}/atgpf/modules/oracle.applcore.attachments_11.1.1/Attachments-Model.jar principals=[]].
wls:/CommonDomain/serverConfig>













error 20 at 0 depth lookup:unable to get local issuer certificate


This particular error occurs because the certificate has expired. We need to renew it by removing the old certificate, creating a new one, and attaching it to the web server or wallet.

Step 1

Check the certificate with the verify command

[oracle@fahtestdb Fa_Ca]$ openssl verify <domainname>.com.pem
<domain_name>.com.pem: /CN=*.<domain_name>.com/OU=oic/O=oic_it/L=Dubai/ST=Dubai/C=AE
error 20 at 0 depth lookup:unable to get local issuer certificate 

Step 2
Check whether the certificate is valid or expired

[oracle@fahtestdb Fa_Ca]$ openssl x509 -noout -text -in <domain_name>.com.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d7:79:73:18:59:89:db:71
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AE, ST=Dubai, L=Dubai, O=<cmpany_name>, OU=< organization unit>, CN=RootCa/emailAddress=palaneandavar@gmail.com
        Validity
            Not Before: Aug 22 09:30:17 2012 GMT
            Not After : Sep 21 09:30:17 2012 GMT
        Subject: CN=*.<domain_name>.com, OU=oic, O=oic_it, L=Dubai, ST=Dubai, C=AE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
 
The output will look like the above. Check the expiry date in the output: if the Not After date is earlier than the current date, the certificate has expired and we need to create a new certificate and replace it.

Step 3

Creating new certificate

openssl x509 -req -in <domain_name>.req -CA fa_root_cert.pem -CAkey fa_privkey.pem -CAcreateserial -out *.<domain_name>.pem

-req -in : the request file that was generated to request the user certificate
-CA : the root CA certificate that was created [the certificate authority that signs this user certificate]
-CAkey : the private key generated for that root CA certificate
-CAcreateserial : creates the CA serial number file if it does not already exist
-out : the output file, the user certificate

If you have multiple sites under one domain, you can use the wildcard [*] when creating the certificate, which accepts all the sites under the same domain.

Step 4

Remove the old certificate from its location and replace it with the newly created certificate.
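Added example, not part of the original post: a shell sketch that builds a throwaway CA and a 30-day wildcard certificate with the same openssl x509 -req form as Step 3, then separates two results of openssl verify. Error 20 means the issuer was not found in the trust store, while an expired certificate is reported as error 10 once the CA is supplied with -CAfile. All file names, the example.test subject and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. File names, subjects and function names are constructed
# for this demo; nothing here comes from the environment in the post.

# Build a throwaway root CA and a 30-day wildcard server certificate in DIR,
# signing the request with the same "openssl x509 -req" form as Step 3.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Root CA" \
        -keyout "$dir/root_key.pem" -out "$dir/root_cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.test" \
        -keyout "$dir/server_key.pem" -out "$dir/server.req" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.req" -days 30 \
        -CA "$dir/root_cert.pem" -CAkey "$dir/root_key.pem" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# Classify the result of "openssl verify" for the certificate in $1.
#   $2 = CA file to trust ("" = default trust store only)
#   $3 = epoch seconds to verify at ("" = now)
# Prints: ok | expired | issuer-not-found | other:<code> | unknown
classify_cert() {
    cert=$1; cafile=$2; at=$3
    set -- verify
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
    if [ -n "$at" ]; then set -- "$@" -attime "$at"; fi
    out=$(openssl "$@" "$cert" 2>&1) || true
    # The first "error N at D depth lookup" line carries the verify error code.
    code=$(printf '%s\n' "$out" |
           sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    case $code in
        10) echo expired ;;
        20) echo issuer-not-found ;;
        '') case $out in *": OK"*) echo ok ;; *) echo unknown ;; esac ;;
        *)  echo "other:$code" ;;
    esac
}

# Succeed if the certificate in $1 has expired or expires within $2 days.
# This replaces reading the Not After date by eye.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the four combinations: with and without the CA, today and in 60 days.
cert_demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    later=$(( $(date +%s) + 60 * 86400 ))
    echo "no CA, today:      $(classify_cert "$d/server.pem" "" "")"
    echo "CA, today:         $(classify_cert "$d/server.pem" "$d/root_cert.pem" "")"
    echo "CA, in 60 days:    $(classify_cert "$d/server.pem" "$d/root_cert.pem" "$later")"
    echo "no CA, in 60 days: $(classify_cert "$d/server.pem" "" "$later")"
    rm -rf "$d"
}
```

Call cert_demo to print the four results. Without -CAfile the result stays issuer-not-found even for the date on which the certificate has expired, so the expiry check needs either the CA file or the -checkend test.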





 

Thursday, September 20, 2012

Upgrading grid +ASM with oracle restart from 11.2.0.2 to 11.2.0.3



It is an "out-of-place upgrade": we need to install a new grid home for the upgrade, and we need to apply the PSU patch on the grid home and the Oracle home (see "Things to Consider Before Upgrading to 11.2.0.3 Grid Infrastructure/ASM" [ID 1363369.1]).
Refer to this post on how to apply the PSU patches before upgrading the grid:
http://orafapp.blogspot.com/2012/08/applying-psu-patch-on-grid-asm-and-db.html

We need to unset all the environment variables before we start the upgrade.

[grid@fahdb grid]$ echo $ORACLE_HOME
/u01/app/oracle/grid/11.2.0/grid
[grid@fahdb grid]$ echo $ORACLE_SID
+ASM
[grid@fahdb grid]$ unset ORACLE_HOME
[grid@fahdb grid]$ echo $ORACLE_HOME
[grid@fahdb grid]$ unset ORACLE_BASE
[grid@fahdb grid]$ unset ORACLE_SID
[grid@fahdb grid]$ echo $ORACLE_BASE
[grid@fahdb grid]$ echo $ORACLE_SID

Create the directory where the new grid home is going to be installed. It must be owned by root with oinstall as the group.

[root@fahdb 11.2.0]# mkdir  /u01/app/oracle/grid/11.2.0.3/grid_3 -p 
[root@fahdb 11.2.0]# chown root:oinstall  /u01/app/oracle/grid/11.2.0.3/grid_3

Unzip the grid software downloaded from updates.oracle.com

[root@fahdb 11.2.0]# unzip p10404530_112030_Linux-x86-64_3of7.zip
[root@fahdb 11.2.0]# ls
grid  grid_3


grid_3 is the empty directory where the grid software is going to be installed, and grid is the directory created when we unzip the grid software downloaded from updates.oracle.com.

/u01/app/oracle/grid/11.2.0.3/grid_3 -- empty directory  for the new grid home
/u01/app/oracle/grid/11.2.0.3/grid     -- the directory which contains the unzipped grid software

Step 1

Run the Grid installer as the grid user from the location where you unzipped the software.

Skip the software updates, since we are upgrading to the latest software.



Step 2

In the installation options, select the option to upgrade the Oracle Grid Infrastructure and ASM.


Step3

It will run for a while to gather the system details.



Step4

Select the Product Language according to your requirement


Step4

Select the OS groups for the ASM instances


Step 5

Specify the software location and the installation location of the grid, that is, the grid home which we created for this upgrade.
Here we have unzipped the software in /u01/app/oracle/grid/11.2.0.3/grid
and the location of the new grid home is /u01/app/oracle/grid/11.2.0.3/grid_3


Step 6

After the prerequisite checks, check the summary, which contains the grid home /u01/app/oracle/grid/11.2.0.3/grid_3
and the software location /u01/app/oracle/grid/11.2.0.3/grid/install. ASM will also be upgraded automatically as part of the upgrade process.


Step 7
Save the summary file

Step8

You can check the progress of the grid installation process in the details.


Step9

Run the rootupgrade.sh script as root to upgrade the CSS





Step10


Step11

Grid infrastructure has been installed successfully on the machine


Wednesday, September 19, 2012

session management in fusion applications with OAM

Restricting No of sessions per user in fusion applications

To restrict the number of sessions in Fusion Applications, we need to configure session management in OAM. All user sessions with Fusion Applications are managed by OAM. OAM and OID are components of the Identity Management suite that take care of Fusion Applications: OID takes care of LDAP and OAM takes care of session management. There are two databases installed separately to store the data of OAM and OIM.

Step1 
Log in to OAM as the oamadmin user and select Common Settings under the Configuration tab



Step2
Select Common Settings and change the session settings according to the policy


Parameters 

Session Lifetime := The lifetime of the session, specified in minutes. The default value is 480, and you can specify up to 2147483647.

Idle Timeout     := The default timeout is 15 minutes. The timeout occurs when the session is not accessed for more than 15 minutes, and you can increase it up to 2147483647.

Maximum Number of Sessions per User := The maximum number of sessions allowed for one particular user. The default is 8, and you can specify from 0 up to 2147483647.

Database Persistence for Active Sessions Enabled := If it is enabled, then even if all the managed servers die the user sessions will be routed to the database session store. It is disabled by default; before enabling it, keep an eye on the resources.

Step 3
Restricting the sessions in Fusion Applications with the help of OAM
Change the maximum number of sessions allowed per user to 1; then the particular user will be able to connect with only that one session.





Step 4

When the user tries to connect with multiple sessions, he will get an error message and will not be able to log in.



If the user opens multiple tabs in a single browser and connects, he will be able to connect, as OAM counts the connections per browser. If the maximum sessions limit is set to one, he will not be able to connect from a different type of browser, but from the same system with a single browser he can open multiple tabs and get connected.







Friday, September 14, 2012

java.sql.SQLException: ORA-00257: archiver error. Connect internal only, until freed.




<BEA-010227> <EJB Exception occurred during invocation from home or business: weblogic.ejb.container.internal.StatelessEJBHomeImpl@1a589ce1 threw exception: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException



Internal Exception: java.sql.SQLException: Internal error: Cannot obtain XAConnection weblogic.common.resourcepool.ResourceDisabledException: Pool oimOperationsDB is Suspended, cannot allocate resources to applications..



When you get this kind of error on any of the managed servers, you need to check the database for an archive log issue.
Basically, the archiver error occurs when the archive log destination fills up and no space is left on the device.

Connect to the database, check the archive log location and the status of db_recovery_file_dest_size, clear the archive logs, and configure the RMAN retention policy according to the environment and backup policy.

In the alert log file you can see the message about the space issue. We need to delete some of the archive logs or, if you have enough space left on the device, you can increase db_recovery_file_dest_size using the alter system set command.
************************************************************************
ARC2: Error 19809 Creating archive log file to '/u01/app/oracle/oracle/fast_recovery_area/OIASM/archivelog/2012_09_14/o1_mf_1_43_%u_.arc'
Fri Sep 14 19:18:26 2012
Errors in file /u01/app/oracle/oracle/diag/rdbms/oiasm/OIASM/trace/OIASM_arc3_5064.trc:
ORA-19815: WARNING: db_recovery_file_dest_size of 42949672960 bytes is 99.98% used, and has 9814016 remaining bytes available.
************************************************************************
You have following choices to free up space from recovery area:
1. Consider changing RMAN RETENTION POLICY. If you are using Data Guard,
   then consider changing RMAN ARCHIVELOG DELETION POLICY.
2. Back up files to tertiary device such as tape using RMAN
   BACKUP RECOVERY AREA command.
3. Add disk space and increase db_recovery_file_dest_size parameter to
   reflect the new space.
4. Delete unnecessary files using RMAN DELETE command. If an operating
   system command was used to delete files, then use RMAN CROSSCHECK and
   DELETE EXPIRED commands.


Connect to RMAN and delete the archive logs completed more than 10 days ago

RMAN> delete noprompt archivelog all completed before 'sysdate -10';

Check the space in the 
SQL> select * from v$flash_recovery_area_usage;


FILE_TYPE            PERCENT_SPACE_USED PERCENT_SPACE_RECLAIMABLE NUMBER_OF_FILES
-------------------- ------------------ ------------------------- ---------------
CONTROL FILE                          0                         0               0
REDO LOG                              0                         0               0
ARCHIVED LOG                       13.6                         0               3
BACKUP PIECE                       3.92                       .02               3
IMAGE COPY                            0                         0               0
FLASHBACK LOG                         0                         0               0
FOREIGN ARCHIVED LOG                  0                         0               0

SQL> select * from V$RECOVERY_FILE_DEST;

NAME                 SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
-------------------- ----------- ---------- ----------------- ---------------
/u01/app/oracle/orac  4.2950E+10 7526307840           9814016               6
le/fast_recovery_are
a

Restart the managed servers connected to that particular database; the servers' state will now change to running mode. Whenever an application deployed in the managed server goes down, or there is any connectivity problem between the database and the managed server, the server's state changes to admin mode.


Monday, September 10, 2012

[gslusw]:Error reading 'ods' passwd from wallet [gsdsiConnect]:Error reading 'ods' passwd from wallet



If you are getting this error, the wallet password can't be read and the connection to the database can't be made from the mid-tier box.
The error appears while you are trying to create a wallet:


[oracle@fah oracle]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd connect=oiddb change_oiddb_pwd=true
current password:
    new password:
confirm password:
Replication password file exists
[gslusw]:Error reading 'ods' passwd from wallet
[gsdsiConnect]:Error reading 'ods' passwd from wallet
password set


Step1
Check the env variables


[oracle@fah ~]$ export ORACLE_INSTANCE=/u03/app/oracle/admin/oid_inst1
[oracle@fah ~]$ export ORACLE_HOME=/u03/app/oracle/product/fmw/idm
[oracle@fah ~]$ export PATH=$ORACLE_HOME/bin:$PATH
[oracle@fah ~]$ export PATH=$ORACLE_HOME/ldap/bin:$PATH
[oracle@fah ~]$ export PATH=/u03/app/oracle/product/fmw/idm/opmn/bin:$PATH

Set the environment variables according to your environment

Step 2
Check the wallet files' permissions and check whether they are in the expected location.
When you create the wallet, it creates two new files in $ORACLE_HOME/ldap/admin
cd /u03/app/oracle/product/fmw/idm/ldap/admin

 oidpwdlldap1
 oidpwdroidm   oidpwdro<databaseSID>


[oracle@fahtestapp admin]$ ll oidpwd*
-rw-r--r-- 1 oracle oinstall 207 Sep  9 23:42 oidpwdlldap1
-rw-r--r-- 1 oracle oinstall 215 Sep  9 23:42 oidpwdroidm
Back up these files and rename them.

Step3
Check the database connection and the tnsnames.ora file location


If the tnsnames.ora file or the database connection has some issue, you can also get another error message while creating the wallet

[oracle@fahtestapp oracle]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd connect=oiddb change_oiddb_pwd=true
current password:
    new password:
confirm password:
Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from ORACLE_INSTANCE) or Incorrect TNS Connect string or Invalid Password

Check the tnsnames.ora file in $ORACLE_HOME/network/admin
/u03/app/oracle/products/fmw/idm/network/admin
Check whether the tnsnames.ora file is present in the specified directory $ORACLE_HOME/network/admin. If it is not in the directory, create a tnsnames.ora file with the necessary values.

Step 4
Check the tnsping from the mid-tier to the database

Run tnsping: it should use the TNSNAMES adapter to resolve the alias. If it is using the HOSTNAME adapter, then you need to check the connect string in tnsnames.ora.

[oracle@fahtestapp config]$ tnsping OIDDB

TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 09-SEP-2012 23:00:47

Copyright (c) 1997, 2008, Oracle.  All rights reserved.

Used parameter files:

Used HOSTNAME adapter to resolve the alias
Attempting to contact (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=<host name>)(PORT=<port number>))(ADDRESS=(PROTOCOL=TCP)(HOST=<host name>)(PORT=<port number >))(ADDRESS=(PROTOCOL=TCP)(HOST=<host name>)(PORT=<port number >)))

[oracle@fah ~]$ tnsping OIDDB

TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 10-SEP-2012 13:07:49

Copyright (c) 1997, 2008, Oracle.  All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = OIDM)))
OK (0 msec)


Once tnsping is working fine, set the proper environment variables and proceed to create the wallet


[oracle@fah admin]$ sqlplus ods/<password>@OIDDB

SQL*Plus: Release 11.1.0.7.0 - Production on Sun Sep 9 23:41:13 2012

Copyright (c) 1982, 2008, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show parameter db_name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_name                              string      OIDM
SQL> exit


Step 5


[oracle@fah admin]$ $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB create_wallet=true
password:
confirm password:
password set

[oracle@fahtestapp admin]$ ls oidpwd*
oidpwdlldap1  oidpwdroidm  oidpwdroidm_backup  oidpwdrOIDM_backup

The wallet has been created, and the two new files have been created in $ORACLE_INSTANCE/OID/admin
















Resetting the expired OIM Password in OAM

Resetting The expired OIM database schema Password in OAM 


We need to reset the password for OIM in OAM. When the password has expired, the managed server will go into admin mode.

Step1
Check the database default profile for the password expiry days parameter. If needed, we can change it to unlimited, or you can continue with 180 days. If it is 180 days, the default value, we have to reset the password before the 180 days elapse every time.

To check the profile

SELECT * from dba_profiles WHERE profile='DEFAULT' and resource_type='PASSWORD';

PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD 180
DEFAULT                        PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT                        PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT                        PASSWORD_LOCK_TIME               PASSWORD 1
DEFAULT                        PASSWORD_GRACE_TIME              PASSWORD 7


Connect as sys as sysdba and execute the following command to identify the status of the database users and the components

SELECT owner, comp_name, version, status, upgraded
           FROM schema_version_registry
           WHERE comp_name like '%Oracle%'
           ORDER BY 1, 2, 3, 4;

OWNER                COMP_NAME                      VERSION                        STATUS      U
-------------------- ------------------------------ ------------------------------ ----------- -
FA_OAM               Oracle Access Manager          11.1.1.3.0                     VALID       N
FA_OIM               Oracle Identity Manager        11.1.1.5.0                     VALID       N


Verify the status of the user 

SQL> select USERNAME,EXPIRY_DATE,LOCK_DATE,ACCOUNT_STATUS from dba_users
  2  where username like '%FA%';

USERNAME                       EXPIRY_DA LOCK_DATE ACCOUNT_STATUS
------------------------------ --------- --------- --------------------------------
FA_IAU_APPEND                  25-AUG-12           OPEN
FA_IAU_VIEWER                  25-AUG-12           OPEN
FA_IAU                         25-AUG-12           OPEN
FA_ORASDPM                     01-SEP-12           EXPIRED
FA_MDS                         01-SEP-12           EXPIRED
FA_OIM                         01-SEP-12           EXPIRED
FA_SOAINFRA                    01-SEP-12           EXPIRED
FA_OAM                         17-SEP-12           EXPIRED(GRACE)

8 rows selected.

Due to the password expiry, the managed servers switch to admin mode when we restart the managed servers in IDM.
Normally a managed server goes into admin mode when some of the applications deployed inside it are not up. In the same way, when the password expires, some of the applications will not come up on restart because they are not able to connect to the database.
If you need to change to running mode, you can click Resume on the managed servers and they will go to running mode.

The wls_oim and wls_soa servers are in admin mode, as these two servers connect to the OAM database, and wla_oim and wls_ods connect to the OIDM database.


Check the IDM EM for more information on which applications went down.



Check the wls_oim managed server log file for the password expiry

####<Sep 10, 2012 5:54:18 AM GST> <Warning> <JDBC> <hostname> <wls_oim1> <DmsThread-1> <<anonymous>> <> <ba0dbab1bd57560b:6d05bab5:139ac982dbd:-8000-0000000000000003> <1347242058362> <BEA-001129> <Received exception while creating connection for pool "mds-owsm": ORA-28001: the password has expired
####<Sep 10, 2012 5:54:18 AM GST> <Info> <JDBC> <hostname> <wls_oim1> <DmsThread-1> <<anonymous>> <> <ba0dbab1bd57560b:6d05bab5:139ac982dbd:-8000-0000000000000003> <1347242058362> <BEA-001156> <Stack trace associated with message 001129 follows:
java.sql.SQLException: ORA-28001: the password has expired
Caused By: oracle.mds.config.MDSConfigurationException: MDS-01330: unable to load MDS configuration document  
MDS-01329: unable to load element "persistence-config"
MDS-01370: MetadataStore configuration for metadata-store-usage "MAR_TargetRepos" is invalid.  
MDS-01377: Unable to get database connection from data source configured with JNDI name "jdbc/mds/MDS_REPOS".  
weblogic.common.resourcepool.ResourceDeadException: 0:weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: ORA-28001: the password has expired

Check the wls_soa server for the password expiry

####<Sep 10, 2012 2:54:29 AM GST> <Warning> <JDBC> <hostname> <wls_soa1> <DmsThread-1> <<anonymous>> <> <ba0dbab1bd57560b:-7b50b7:139ac9823b1:-8000-0000000000000004> <1347231269517> <BEA-001129> <Received exception while creating connection for pool "EDNDataSource": ORA-28001: the password has expired
####<Sep 10, 2012 2:54:29 AM GST> <Info> <JDBC> <hostname > <wls_soa1> <DmsThread-1> <<anonymous>> <> <ba0dbab1bd57560b:-7b50b7:139ac9823b1:-8000-0000000000000004> <1347231269518> <BEA-001156> <Stack trace associated with message 001129 follows:
java.sql.SQLException: ORA-28001: the password has expired
<Sep 10, 2012 8:54:59 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "SOADataSource": ORA-28001: the password has expired
<Sep 10, 2012 8:54:54 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "SOALocalTxDataSource": ORA-28001: the password has expired
<Sep 10, 2012 8:54:50 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "oimOperationsDB": ORA-28001: the password has expired
<Sep 10, 2012 8:54:45 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "mds-owsm": ORA-28001: the password has expired
.> 
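Each BEA-001129 record in the excerpts above names one connection pool, so the logs already contain the list of data sources whose stored password has to be updated. The script below is an added example, not part of the original post: it extracts that list per managed server. The function names, the sample lines and the handling of ORA-28000 (account locked) and ORA-01017 (a pool still holding the old password) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts above; the ORA-01017 record is invented.
SAMPLE_LOG = """\
####<Sep 10, 2012 5:54:18 AM GST> <Warning> <JDBC> <hostname> <wls_oim1> <DmsThread-1> <<anonymous>> <> <ctx-1> <1347242058362> <BEA-001129> <Received exception while creating connection for pool "mds-owsm": ORA-28001: the password has expired
####<Sep 10, 2012 5:54:18 AM GST> <Info> <JDBC> <hostname> <wls_oim1> <DmsThread-1> <<anonymous>> <> <ctx-1> <1347242058362> <BEA-001156> <Stack trace associated with message 001129 follows:
java.sql.SQLException: ORA-28001: the password has expired
####<Sep 10, 2012 2:54:29 AM GST> <Warning> <JDBC> <hostname > <wls_soa1> <DmsThread-1> <<anonymous>> <> <ctx-2> <1347231269517> <BEA-001129> <Received exception while creating connection for pool "EDNDataSource": ORA-28001: the password has expired
<Sep 10, 2012 8:54:59 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "SOADataSource": ORA-28001: the password has expired
<Sep 10, 2012 8:54:50 AM GST> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "oimOperationsDB": ORA-28001: the password has expired
####<Sep 10, 2012 9:10:02 AM GST> <Warning> <JDBC> <hostname> <wls_oim1> <DmsThread-1> <<anonymous>> <> <ctx-3> <1347253802000> <BEA-001129> <Received exception while creating connection for pool "oimOperationsDB": ORA-01017: invalid username/password; logon denied
"""

# ORA codes worth telling apart while a schema password is being reset.
ORA_MEANING = {
    "ORA-28001": "password expired",
    "ORA-28000": "account locked",
    "ORA-01017": "wrong password stored in data source",
}
POOL_ERR = re.compile(r'<BEA-001129> <.*?for pool "([^"]+)": (ORA-\d{5})')

def server_name(line):
    """Managed server from a '####' server-log record (5th field); None for console-style lines."""
    if not line.startswith("####<"):
        return None
    fields = line[5:].split("> <", 5)
    return fields[4].strip() if len(fields) > 4 else None

def triage(log_text):
    """Return {pool: {"servers": set, "errors": set}} for BEA-001129 records with a known ORA code."""
    pools = defaultdict(lambda: {"servers": set(), "errors": set()})
    for line in log_text.splitlines():
        m = POOL_ERR.search(line)
        if not m or m.group(2) not in ORA_MEANING:
            continue
        pool, code = m.groups()
        pools[pool]["errors"].add(code)
        srv = server_name(line)
        if srv:
            pools[pool]["servers"].add(srv)
    return dict(pools)

def report(log_text):
    """One line per pool: the ORA codes seen and the servers that logged them."""
    lines = []
    for pool, info in sorted(triage(log_text).items()):
        why = ", ".join(f"{c} ({ORA_MEANING[c]})" for c in sorted(info["errors"]))
        where = ",".join(sorted(info["servers"])) or "server not in record"
        lines.append(f"{pool}: {why} [{where}]")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A pool that moves from ORA-28001 to ORA-01017 after the database reset is one whose data source still carries the old password.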


Connect to the OAM database and use the alter user command to reset the password of every user whose password has expired.
If an account is expired and locked, you need to give it a new password; if it is only expired, give it the same password again. Do not change the password for all the users: change it only for the OIM user, and reuse the existing password for the rest.

 alter user FA_OIM identified by <password>;
SQL> select USERNAME,EXPIRY_DATE,LOCK_DATE,ACCOUNT_STATUS from dba_users
  2   where username like '%FA%';

USERNAME                       EXPIRY_DA LOCK_DATE ACCOUNT_STATUS
------------------------------ --------- --------- --------------------------------
FA_SOAINFRA                    09-MAR-13           OPEN
FA_OIM                         09-MAR-13           OPEN
FA_MDS                         09-MAR-13           OPEN
FA_IAU                         25-AUG-12           OPEN
FA_OAM                         09-MAR-13           OPEN
FA_IAU_VIEWER                  25-AUG-12           OPEN
FA_IAU_APPEND                  25-AUG-12           OPEN
FA_ORASDPM                     09-MAR-13           OPEN


We also need to change the password in the data sources of the managed server. Log in to the IDM WebLogic console.

Navigate to Services and then to Data Sources under the Domain Structure.



Click Data Sources and select the data source whose password has to be modified.



Select the data source, switch to the Connection Pool tab, go to the password section and set the password to the new password that was given in the database.





Save the configuration and repeat the steps for the second and third data sources under the OIM cluster.


Change the password for all three data sources.


We also need to change the password in the IDM EM for it to take effect.
Navigate to the IDM domain, click the IDM domain and then go to Security and Credentials.

In Credentials, go to oim and select the OIM schema password.


Edit OIMSchemaPassword and enter the new password.


Once you change the password you will receive a confirmation message.



We also need to change the password in the MBean for it to take effect.


Navigate to Configuration MBeans->Security->myrealmOIMAuthenticationProvider


Change the password in DBPassword.


Restart the managed servers and the admin server.
Check the status of the managed servers after restarting.





Sunday, September 9, 2012

Resetting expired ODS database Schema password in OID



Resetting the expired database ODS and ODSM schema passwords with the oidpasswd utility in OID


When oidmon does not start and reports an error, check the log file. If password expiry is the cause, the password has to be reset in the database. A plain 'alter user' will not cleanly reset the password, so we have to reset it with the oidpasswd utility.
The OIDMON process will be down because it cannot connect to the database with the expired password.
The OIDMON process is responsible for controlling the Oracle OID instance.

We need to check the C artifacts and their status to investigate this issue further.

Step 1
Check the opmn status of the middleware
Status of OID

Processes in Instance: oid_inst1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
oid1                             | oidldapd           |   11143 | Alive    |  834262793 |   720936 | 191:29:43 | N/A
oid1                             | oidldapd           |   11135 | Alive    |  834262791 |   852168 | 191:29:44 | N/A
oid1                             | oidldapd           |   11131 | Alive    |  834262790 |   724560 | 191:29:45 | N/A
oid1                             | oidldapd           |   10981 | Alive    |  834280460 |   374644 | 191:29:51 | N/A
oid1                             | oidldapd           |   11139 | Alive    |  834262792 |   849440 | 191:29:44 | N/A
oid1                             | oidmon             |     N/A | Down     |        N/A |      N/A |       N/A | N/A
EMAGENT                          | EMAGENT            |   23311 | Alive    |  834288485 |    63824 |   3:08:34 | N/A

status of ovd

Processes in Instance: ovd_inst1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ovd1                             | OVD                |   25023 | Alive    | 1354530833 |   871556 |   3:06:19 | ldap:6501,https:8899,ldaps:7501
EMAGENT                          | EMAGENT            |   25022 | Alive    | 1354530832 |    63824 |   3:06:19 | N/A

status of OHS

Processes in Instance: ohs_inst1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |   25543 | Alive    | 2145402128 |  4094100 |   3:06:01 | https:7779,https:4443,http:7777


In the OID instance we found that oidmon is down, and we need to bring the process up to fix the issue.

Step 2

Check the oidmon log file for more information. The oidmon log is located at
/u03/app/oracle/admin/oid_inst1/diagnostics/logs/OID/oid1
$INSTANCE_HOME/diagnostics/logs/OID/oid1
Look for oidmon-0000.log for the oidmon logs.
In the log file you can find the message below.


[2012-09-03T20:06:21+04:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: fahmid.domain.com] [pid: 29628] [tid: 0] Guardian: Connecting to database, connect string is oiddb
[2012-09-03T20:06:21+04:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: fahmid.domain.com] [pid: 29628] [tid: 0] Guardian: [gsdsiConnect] ORA-28001, ORA-28001: the password has expired
[2012-09-03T20:06:21+04:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: fahmid.domain.com] [pid: 29628] [tid: 0] Guardian: [oidmon]: Unable to connect to database,
            will retry again after 10 sec


It is caused by the expiry of the database password for the ODS schema in the OID [IDM] database, so check the database and verify the schema status.

Step 3
Check the user status in the database. If it is expired, we need to reset the password for the user; we can use either the old or a new password.


SQL> select username,user_id,ACCOUNT_STATUS,LOCK_DATE,EXPIRY_DATE from dba_users
  2  where EXPIRY_DATE > sysdate -2;
  

USERNAME                          USER_ID ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
------------------------------ ---------- -------------------------------- --------- ---------
ODS                                    84 EXPIRED                                    02-SEP-12

The query confirms that the ODS schema password in the database has expired, so we need to reset the password of the ODS schema.

Check the details for ODSSM also.


USERNAME                       ACCOUNT_STATUS                   EXPIRY_DA PROFILE
------------------------------ -------------------------------- --------- ------------------------------------------------------
ODSSM                          EXPIRED                          01-SEP-12 DEFAULT
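Both dba_users listings on this page (the FA_* schemas earlier and ODS/ODSSM here) are checked by eye, and in the FA_* listing FA_IAU shows an expiry date of 25-AUG-12 while its status is still OPEN. The script below is an added example, not part of the original post: it parses a SQL*Plus listing by its dash ruler and judges each account by its expiry date. The sample rows, the DEMO_* accounts, the 30-day warning window and the function names are assumptions.

```python
from datetime import date, timedelta
# Constructed rows (USERNAME, EXPIRY_DATE, LOCK_DATE, ACCOUNT_STATUS); DEMO_* names are invented.
ROWS = [
    ("FA_OIM", "09-MAR-13", "", "OPEN"),
    ("FA_IAU", "25-AUG-12", "", "OPEN"),
    ("ODS", "02-SEP-12", "", "EXPIRED"),
    ("DEMO_SOON", "25-SEP-12", "", "OPEN"),
    ("DEMO_LOCKED", "01-SEP-12", "05-SEP-12", "EXPIRED & LOCKED"),
    ("DEMO_NOEXPIRY", "", "", "OPEN"),
]
# Rendered the way SQL*Plus prints it: truncated header, dash ruler, fixed-width columns.
SAMPLE = "\n".join(
    [f"{'USERNAME':<30} EXPIRY_DA LOCK_DATE ACCOUNT_STATUS", f"{'-'*30} {'-'*9} {'-'*9} {'-'*32}"]
    + [f"{u:<30} {e:<9} {l:<9} {s}" for u, e, l, s in ROWS])
MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def parse_listing(text):
    """Slice rows by the dash ruler so empty columns and statuses containing spaces survive."""
    lines = [l for l in text.splitlines() if l.strip()]
    at = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    spans, pos = [], 0
    for run in lines[at].split(" "):
        if run:
            spans.append((pos, pos + len(run)))
        pos += len(run) + 1
    names = [lines[at - 1][a:b].strip() for a, b in spans]
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, spans)} for row in lines[at + 1:]]

def parse_date(text):
    """DD-MON-YY as shown in the listings on this page; years are read as 20YY (assumption)."""
    day, mon, year = text.split("-")
    return date(2000 + int(year), MONTHS.index(mon.upper()) + 1, int(day))

def audit(text, today, warn_days=30):
    """Judge each account by EXPIRY_DATE against `today`, not by ACCOUNT_STATUS alone."""
    findings = {}
    for row in parse_listing(text):
        expiry = next(v for k, v in row.items() if k.startswith("EXPIRY"))
        status = row.get("ACCOUNT_STATUS", "")
        if not expiry:
            verdict = "no expiry"
        elif parse_date(expiry) <= today:
            verdict = "past expiry" + (", status still OPEN" if status == "OPEN" else "")
        elif parse_date(expiry) <= today + timedelta(days=warn_days):
            verdict = "expires soon"
        else:
            verdict = "ok"
        if "LOCKED" in status:
            verdict += ", locked"
        findings[row["USERNAME"]] = verdict
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, date(2012, 9, 10)))
```

Run against a spooled listing on a schedule, the "expires soon" and "status still OPEN" verdicts identify schema accounts to handle before a managed server or oidmon fails to connect.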



Step 4
Change the password by the oidpasswd  utility and


[oracle@fahmid ~]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd - help
 unable to locate message file: ldap<language>.msb

If you get the above message, unable to locate message file, you have to set the proper Oracle home.

For the ODS schema we need to set ORACLE_HOME to the idm directory under the fmw directory.

   export ORACLE_HOME=/u03/app/oracle/product/fmw/idm

[oracle@fahmid ~]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd - help
Usage: oidpasswd connect=<Net8 Connect Descriptor> [change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true| reset_su_password=true | manage_su_acl=true]
 connect: Database connect string
 change_oiddb_pwd: Change OID database password (default operation)
 create_wallet: Create LDAP and Replication server wallets
 unlock_su_acct: Unlock OID super user account
 reset_su_password: Reset OID super user password
 manage_su_acl: Manage super user restriced ACL

  export ORACLE_INSTANCE=/u03/app/oracle/admin/oid_inst1

Set ORACLE_INSTANCE to the oid_inst1 directory under the admin directory.

[oracle@fahmid ~]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd connect=oiddb change_oiddb_pwd=true
current password:
    new password:
confirm password:
new password must be different from the current.

Syntax: $ORACLE_HOME/ldap/bin/oidpasswd connect=<database_string> change_oiddb_pwd=true

[oracle@fahmid ~]$ /u03/app/oracle/product/fmw/idm/ldap/bin/oidpasswd connect=oiddb change_oiddb_pwd=true
current password:
    new password:
confirm password:
password set












How to find the OID version


TO  KNOW  THE OID VERSION 

To find the OID version we can use any one of these methods.

There are three ways to confirm the OID version:
1] ldapsearch
2] oidldapd
3] By connecting to the OID database and verifying with a query


1] ldapsearch

Syntax: ldapsearch -h <hostname> -p <portnumber> -D "cn=orcladmin" -w <password> -b "" -s base "objectclass=*" orcldirectoryversion

[oracle@fah admin]$ ldapsearch -h fahmid.oasiserp.com -p 389 -D "cn=orcladmin" -w <password>  -b "" -s base "objectclass=*" orcldirectoryversion

orcldirectoryversion=OID 11.1.1.5.0


2]oidldapd

Syntax: $ORACLE_HOME/bin/oidldapd -version

[oracle@fah admin]$ $ORACLE_HOME/bin/oidldapd -version

oidldapd: Release 11.1.1.6.0 - Production on mon sep 10 00:47:41 2012

Copyright (c) 1982, 2011 Oracle.  All rights reserved.

3] Query the OID database

Connect as the ODS user and run the below query to find the installed version

SQL> connect ODS
Enter password:
Connected.
SQL> show user
USER is "ODS"
SQL> select attrval from ds_attrstore where entryid = 1 and attrname = 'orcldirectoryversion';

ATTRVAL
--------------------------------------------------------------------------------
OID 11.1.1.5.0



Reset Super User cn=orcladmin when ODS's Password Has Been Forgotten


If we have forgotten the password of the ODS schema in the OID database, we need to reset the password of the ODS schema in the database and update it in the wallet.

Step 1
Set the environment variables

[oracle@fah ~]$ export ORACLE_INSTANCE=/u03/app/oracle/admin/oid_inst1
[oracle@fah ~]$ export ORACLE_HOME=/u03/app/oracle/product/fmw/idm
[oracle@fah ~]$ export PATH=$ORACLE_HOME/bin:$PATH
[oracle@fah ~]$ export PATH=$ORACLE_HOME/ldap/bin:$PATH
[oracle@fah ~]$ export PATH=/u03/app/oracle/product/fmw/idm/opmn/bin:$PATH

Step 2
Check the processes and stop all the OID processes that run under opmnctl

[oracle@fah ~]$ ps -ef | grep -i odisrv
oracle    9744 28191  0 21:49 pts/6    00:00:00 grep -i odisrv
[oracle@fah ~]$ ps -ef | grep -i oidmon
oracle   10075 28191  0 21:49 pts/6    00:00:00 grep -i oidmon
[oracle@fah ~]$ ps -ef | grep -i oidldapd
oracle   11822 28191  0 21:50 pts/6    00:00:00 grep -i oidldapd
If any OID process is running, stop it.

Step 3

If you are using 11g OID, the password files will be in $ORACLE_INSTANCE/OID/admin

cd $ORACLE_INSTANCE/OID/admin
[oracle@fah admin]$ ll
-rw-r----- 1 oracle oinstall  327 Feb 28  2012 oidpwdroidm
-rw-r----- 1 oracle oinstall  327 Feb 28  2012 oidpwdrOIDM
drwxr-x--- 2 oracle oinstall 4096 Feb 28  2012 wallet
[oracle@fah admin]$ mv oidpwdroidm oidpwdroidm_backup
[oracle@fah admin]$ mv oidpwdrOIDM oidpwdrOIDM_backup

Step 4

Connect to the database as system or sys and change the password for the ODS user

[oraidm@fah ~]$ sqlplus

SQL*Plus: Release 11.2.0.2.0 Production on Sun Sep 9 17:29:34 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter user-name: sys as sysdba
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> alter user ODS identified by <password>;
User altered.

SQL> alter user ODS account Unlock;
User altered.

Step 5

Switch to the user under which IDM was installed and check the database connectivity using the new password

[oracle@fah admin]$ sqlplus ods/<password>@OIDDB

SQL*Plus: Release 11.1.0.7.0 - Production on Sun Sep 9 23:41:13 2012

Copyright (c) 1982, 2008, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show parameter db_name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_name                              string      OIDM
SQL> exit

Step 6
Create a new wallet to store the new password. For this wallet we need to give the password that we set at Step 4.

[oracle@fah admin]$ $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB create_wallet=true
password:
confirm password:
password set

A new wallet has been created, and two new files are created in $ORACLE_INSTANCE/OID/admin to store the password of the ODS schema.

[oracle@fah admin]$ ls oidpwd*
oidpwdlldap1  oidpwdroidm  oidpwdroidm_backup  oidpwdrOIDM_backup

Step 7
Bind as the LDAP user to confirm that the user is active and not locked

[oracle@fah admin]$ $ORACLE_HOME/bin/ldapbind -p 389 -D cn=orcladmin -w <password>
bind successful

If the bind was not successful, we need to unlock the orcladmin account and, if needed, we can set a new password.

To unlock orcladmin we need to run:

Syntax: oidpasswd connect=<database_connection_string> unlock_su_acct=true

oidpasswd connect=OIDDB unlock_su_acct=true
OID DB user password: <password created at step4 >
OID super user account unlocked successfully.

To reset the orcladmin password:

Syntax: oidpasswd connect=<database_connection_string> reset_su_password=true

oidpasswd connect=asdb reset_su_password=true
OID DB user password: <password created at step4 >
new password: <password>
confirm password: < password >
password set

Start opmn:
opmnctl startproc ias-component=OID
If you had stopped all the components, issue startall.

[oracle@fah admin]$ /u03/app/oracle/admin/oid_inst1/bin/opmnctl status -l

Processes in Instance: oid_inst1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
oid1                             | oidldapd           |   18193 | Alive    |         18 |   783240 |   0:00:18 | N/A
oid1                             | oidldapd           |   18187 | Alive    |         17 |   782424 |   0:00:23 | N/A
oid1                             | oidldapd           |   18175 | Alive    |         16 |   783672 |   0:00:23 | N/A
oid1                             | oidldapd           |   18058 | Alive    |         15 |   845628 |   0:00:24 | N/A
oid1                             | oidldapd           |   18033 | Alive    |         14 |   374692 |   0:00:24 | N/A
oid1                             | oidmon             |   17861 | Alive    |         13 |   364084 |   0:00:26 | LDAPS:636,LDAP:389
EMAGENT                          | EMAGENT            |   17860 | Alive    |         12 |    63836 |   0:00:26 | N/A